Fixing issues when using sync-clients with owncloud on apache 2.4 and php-fpm
I recently upgraded from Debian wheezy (7.x) to Debian jessie (8.x). Apache has been upgraded from 2.2.x to 2.4.x, and everything was working fine after some minor tweaks.
I was able to use owncloud with the web interface (yea, using a browser), but my mobile devices, webmail and local mail client could not connect to owncloud anymore.
tldr; One must add
SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
to the apache vhost configuration to pass authorization headers to owncloud.
apache 2.2 + php-fpm using mod_fastcgi
This was my setup on apache 2.2.x and php-fpm via mod_fastcgi. I won't post the php-fpm pool configuration here as that has not changed and is pretty straightforward to configure…
<VirtualHost *:443>
    ServerName owncloud.example.com
    DocumentRoot /home/owncloud/www/owncloud.example.com/
    <Directory /home/owncloud/www/owncloud.example.com/>
        AllowOverride All
        Options FollowSymLinks -Indexes IncludesNoExec
    </Directory>
    FileETag None
    <IfModule mod_headers.c>
        Header unset Pragma
        Header unset ETag
        Header append Cache-Control "public"
    </IfModule>
    <IfModule mod_expires.c>
        <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4|css|js|svg)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 week"
        </FilesMatch>
    </IfModule>
    <IfModule mod_fastcgi.c>
        AddHandler php5-fcgi .php
        Action php5-fcgi /php5-fcgi-owncloud
        Alias /php5-fcgi-owncloud /usr/lib/cgi-bin/php5-fcgi-owncloud
        FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-owncloud -host 127.0.0.1:9004 -pass-header Authorization -flush -idle-timeout 330
    </IfModule>
    <IfModule mod_ssl.c>
        ...
        ...
    </IfModule>
</VirtualHost>
apache 2.4 + php-fpm using mod_proxy_fcgi
The following is the new vhost configuration for apache 2.4. It uses proxy_fcgi to pass requests to php-fpm. There are also several minor differences between the two:
- Require all granted
- must add + / - before all Options
- do not use fastcgi anymore but prefer proxy_fcgi
- pass authorization headers to proxy_fcgi too
That's the resulting vhost config:
<VirtualHost *:443>
    ServerName owncloud.example.com
    DocumentRoot /home/owncloud/www/owncloud.example.com/
    <Directory /home/owncloud/www/owncloud.example.com/>
        Require all granted
        AllowOverride All
        Options +FollowSymLinks -Indexes +IncludesNoExec
    </Directory>
    FileETag None
    <IfModule mod_headers.c>
        Header unset Pragma
        Header unset ETag
        Header append Cache-Control "public"
    </IfModule>
    <IfModule mod_expires.c>
        <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4|css|js|svg)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 week"
        </FilesMatch>
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
        # Pass the client's Authorization header on to php-fpm
        SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
        # Hand every .php request to the php-fpm pool listening on 127.0.0.1:9004
        ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9004/home/owncloud/www/owncloud.example.com/$1
    </IfModule>
    <IfModule mod_ssl.c>
        ...
        ...
    </IfModule>
</VirtualHost>
Without the line
SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
Owncloud will function correctly in the browser, but sync clients like smartphones, tablets and mail clients (contacts, etc.) will produce the following apache errorlog entries:
xx.xx.xx.xx - - [13/May/2015:23:53:59 +0200] "PROPFIND /remote.php/carddav/addressbooks/croessler/contacts4 HTTP/1.1" 401 5267 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:00 +0200] "PROPFIND /remote.php/caldav/calendars/croessler/personal/ HTTP/1.1" 401 5267 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:02 +0200] "PROPFIND /remote.php/caldav/calendars/croessler/personal/ HTTP/1.1" 401 1445 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:05 +0200] "PROPFIND /remote.php/carddav/addressbooks/croessler/contacts4 HTTP/1.1" 401 1445 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:11 +0200] "PROPFIND /remote.php/carddav/addressbooks/croessler/contacts4 HTTP/1.1" 401 1445 "-" "RIM"
The client got an HTTP 401 (authorization failed) response. Therefore one must pass the HTTP Authorization headers sent by the clients to the php-fpm scripts. If done correctly, the apache errorlog looks like this:
xx.xx.xx.xx - - [14/May/2015:00:00:07 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 207 5507 "-" "RIM"
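A way to spot this symptom in the logs, as an added example that is not part of the original post: the Python function below scans log lines of the kind quoted above and reports clients that keep getting 401 on a /remote.php/ path without ever succeeding. The function name, the threshold of three and the sample lines (documentation IP addresses, user "foo") are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the log lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def stripped_auth_suspects(lines, min_401=3):
    """Return {(client, path): number of 401s} for suspicious DAV endpoints.

    A single 401 is normal: it is the challenge that makes a client send its
    credentials. Repeated 401s with no 2xx answer for the same client and
    path suggest the Authorization header never reaches PHP.
    """
    stats = defaultdict(lambda: {"denied": 0, "ok": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/remote.php/"):
            continue  # unparsable line, or not a sync/DAV endpoint
        key = (m["client"], m["path"])
        status = int(m["status"])
        if status == 401:
            stats[key]["denied"] += 1
        elif 200 <= status < 300:  # includes 207 Multi-Status
            stats[key]["ok"] += 1
    return {
        key: s["denied"] for key, s in stats.items()
        if s["denied"] >= min_401 and s["ok"] == 0
    }

# Constructed sample lines modelled on the entries shown in the post.
SAMPLE = [
    '192.0.2.10 - - [13/May/2015:23:53:59 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 401 5267 "-" "RIM"',
    '192.0.2.10 - - [13/May/2015:23:54:00 +0200] "PROPFIND /remote.php/caldav/calendars/foo/personal/ HTTP/1.1" 401 5267 "-" "RIM"',
    '192.0.2.10 - - [13/May/2015:23:54:02 +0200] "PROPFIND /remote.php/caldav/calendars/foo/personal/ HTTP/1.1" 401 1445 "-" "RIM"',
    '192.0.2.10 - - [13/May/2015:23:54:05 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 401 1445 "-" "RIM"',
    '192.0.2.10 - - [13/May/2015:23:54:11 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 401 1445 "-" "RIM"',
    '192.0.2.20 - - [14/May/2015:00:00:06 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 401 1445 "-" "RIM"',
    '192.0.2.20 - - [14/May/2015:00:00:07 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 207 5507 "-" "RIM"',
    '192.0.2.10 - - [14/May/2015:00:01:00 +0200] "GET /index.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (client, path), count in stripped_auth_suspects(SAMPLE).items():
        print(f"{client} got {count} x 401 and no success on {path}")
```

The client that receives one 401 followed by a 207 is not reported, since that is the normal challenge-and-retry sequence.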
Of course one must enable/activate the apache module proxy_fcgi by issuing
a2enmod proxy_fcgi
Must go to bed now.